Move user/group constants for PKI and DS into ipaplatform

https://fedorahosted.org/freeipa/ticket/5619 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-01-19 14:18:30 +01:00 · 2016-01-19 14:18:30 +01:00 · 49be6c8d3c
commit 49be6c8d3c
parent 4f25b29605
12 changed files with 49 additions and 37 deletions
--- a/install/share/copy-schema-to-ca.py
+++ b/install/share/copy-schema-to-ca.py
@ -19,9 +19,9 @@ from hashlib import sha1

 from ipapython import ipautil
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
-from ipaserver.install.dsinstance import DS_USER, schema_dirname
-from ipaserver.install.cainstance import PKI_USER
+from ipaserver.install.dsinstance import schema_dirname
 from ipalib import api
+from ipaplatform.constants import constants

 try:
    from ipaplatform import services
@ -52,8 +52,8 @@ def _sha1_file(filename):
 def add_ca_schema():
    """Copy IPA schema files into the CA DS instance
    """
-    pki_pent = pwd.getpwnam(PKI_USER)
-    ds_pent = pwd.getpwnam(DS_USER)
+    pki_pent = pwd.getpwnam(constants.PKI_USER)
+    ds_pent = pwd.getpwnam(constants.DS_USER)
    for schema_fname in SCHEMA_FILENAMES:
        source_fname = os.path.join(ipautil.SHARE_DIR, schema_fname)
        target_fname = os.path.join(schema_dirname(SERVERID), schema_fname)
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@ -8,9 +8,13 @@ This base platform module exports platform dependant constants.


 class BaseConstantsNamespace(object):
+    DS_USER = 'dirsrv'
+    DS_GROUP = 'dirsrv'
    HTTPD_USER = "apache"
    IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
    NAMED_USER = "named"
+    PKI_USER = 'pkiuser'
+    PKI_GROUP = 'pkiuser'
    # ntpd init variable used for daemon options
    NTPD_OPTS_VAR = "OPTIONS"
    # quote used for daemon options
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@ -45,6 +45,7 @@ import ipapython.errors

 from ipalib import x509 # FIXME: do not import from ipalib

+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform.redhat.authconfig import RedHatAuthConfig
 from ipaplatform.base.tasks import BaseTaskNamespace
@ -438,14 +439,14 @@ class RedHatTaskNamespace(BaseTaskNamespace):
        This values should be constant and may be hardcoded.
        Add other values for other users when needed.
        """
-        if name == 'pkiuser':
+        if name == constants.PKI_USER:
            if uid is None:
                uid = 17
            if gid is None:
                gid = 17
            if comment is None:
                comment = 'CA System User'
-        if name == 'dirsrv':
+        if name == constants.DS_USER:
            if comment is None:
                comment = 'DS System User'

--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -66,8 +66,8 @@ from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
 from ipaserver.install import replication
 from ipaserver.install import service
-from ipaserver.install.dogtaginstance import (
-    PKI_USER, export_kra_agent_pem, DogtagInstance)
+from ipaserver.install.dogtaginstance import (export_kra_agent_pem,
+                                              DogtagInstance)
 from ipaserver.plugins import ldap2

 # Python 3 rename. The package is available in "six.moves.http_client", but
@ -279,8 +279,8 @@ def is_ca_installed_locally():
 def create_ca_user():
    """Create PKI user/group if it doesn't exist yet."""
    tasks.create_system_user(
-        name=PKI_USER,
-        group=PKI_USER,
+        name=constants.PKI_USER,
+        group=constants.PKI_GROUP,
        homedir=paths.VAR_LIB,
        shell=paths.NOLOGIN,
    )
@ -442,7 +442,7 @@ class CAInstance(DogtagInstance):
        # Create an empty and secured file
        (cfg_fd, cfg_file) = tempfile.mkstemp()
        os.close(cfg_fd)
-        pent = pwd.getpwnam(PKI_USER)
+        pent = pwd.getpwnam(constants.PKI_USER)
        os.chown(cfg_file, pent.pw_uid, pent.pw_gid)

        # Create CA configuration
@ -514,7 +514,7 @@ class CAInstance(DogtagInstance):

            cafile = self.pkcs12_info[0]
            shutil.copy(cafile, paths.TMP_CA_P12)
-            pent = pwd.getpwnam(PKI_USER)
+            pent = pwd.getpwnam(constants.PKI_USER)
            os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid)

            # Security domain registration
@ -609,7 +609,7 @@ class CAInstance(DogtagInstance):
            'ca.enableNonces=false')
        if update_result != 0:
            raise RuntimeError("Disabling nonces failed")
-        pent = pwd.getpwnam(PKI_USER)
+        pent = pwd.getpwnam(constants.PKI_USER)
        os.chown(paths.CA_CS_CFG_PATH, pent.pw_uid, pent.pw_gid)

    def enable_pkix(self):
@ -944,7 +944,7 @@ class CAInstance(DogtagInstance):
            os.mkdir(publishdir)

        os.chmod(publishdir, 0o775)
-        pent = pwd.getpwnam(PKI_USER)
+        pent = pwd.getpwnam(constants.PKI_USER)
        os.chown(publishdir, 0, pent.pw_gid)

        tasks.restore_context(publishdir)
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@ -33,8 +33,8 @@ import pki.system
 from ipalib import errors

 from ipaplatform import services
-from ipaplatform.paths import paths
 from ipaplatform.constants import constants
+from ipaplatform.paths import paths
 from ipapython import certmonger
 from ipapython import ipaldap
 from ipapython import ipautil
@ -45,9 +45,10 @@ from ipaserver.install import replication
 from ipaserver.install.installutils import stopped_service
 from ipapython.ipa_log_manager import log_mgr

-PKI_USER = "pkiuser"
+PKI_USER = constants.PKI_USER
 HTTPD_USER = constants.HTTPD_USER

+
 def get_security_domain():
    """
    Get the security domain from the REST interface on the local Dogtag CA
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@ -44,14 +44,15 @@ from ipalib import api
 from ipalib import certstore
 from ipalib import errors
 from ipalib import constants
+from ipaplatform.constants import constants as platformconstants
 from ipaplatform.tasks import tasks
 from ipalib.constants import CACERT
 from ipapython.dn import DN
 from ipaplatform import services
 from ipaplatform.paths import paths

-DS_USER = 'dirsrv'
-DS_GROUP = 'dirsrv'
+DS_USER = platformconstants.DS_USER
+DS_GROUP = platformconstants.DS_GROUP

 IPA_SCHEMA_FILES = ("60kerberos.ldif",
                    "60samba.ldif",
@ -708,7 +709,7 @@ class DsInstance(service.Service):
        self._ldap_mod("repoint-managed-entries.ldif", self.sub_dict)

    def configure_dirsrv_ccache(self):
-        pent = pwd.getpwnam("dirsrv")
+        pent = pwd.getpwnam(platformconstants.DS_USER)
        ccache = paths.TMP_KRB5CC % pent.pw_uid
        filepath = paths.SYSCONFIG_DIRSRV
        if not os.path.exists(filepath):
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@ -32,12 +32,12 @@ from ipapython import version
 from ipapython.ipautil import run, write_tmp_file
 from ipapython import admintool
 from ipapython.dn import DN
-from ipaserver.install.dsinstance import DS_USER
 from ipaserver.install.replication import wait_for_task
 from ipaserver.install import installutils
 from ipapython import ipaldap
 from ipalib.session import ISO8601_DATETIME_FMT
 from ipalib.constants import CACERT
+from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks

 """
@ -260,7 +260,7 @@ class Backup(admintool.AdminTool):

        self.log.info("Preparing backup on %s", api.env.host)

-        pent = pwd.getpwnam(DS_USER)
+        pent = pwd.getpwnam(constants.DS_USER)

        self.top_dir = tempfile.mkdtemp("ipa")
        os.chown(self.top_dir, pent.pw_uid, pent.pw_gid)
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@ -32,14 +32,15 @@ from ipapython import version, ipautil, certdb
 from ipapython.ipautil import run, user_input
 from ipapython import admintool
 from ipapython.dn import DN
-from ipaserver.install.dsinstance import create_ds_user, DS_USER
-from ipaserver.install.cainstance import PKI_USER, create_ca_user
+from ipaserver.install.dsinstance import create_ds_user
+from ipaserver.install.cainstance import create_ca_user
 from ipaserver.install.replication import (wait_for_task, ReplicationManager,
                                           get_cs_replication_manager)
 from ipaserver.install import installutils
 from ipaserver.install import dsinstance, httpinstance, cainstance
 from ipapython import ipaldap
 import ipapython.errors
+from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform import services
 from ipaplatform.paths import paths
@ -293,7 +294,7 @@ class Restore(admintool.AdminTool):
                raise admintool.ScriptError("Aborted")

        create_ds_user()
-        pent = pwd.getpwnam(DS_USER)
+        pent = pwd.getpwnam(constants.DS_USER)

        # Temporary directory for decrypting files before restoring
        self.top_dir = tempfile.mkdtemp("ipa")
@ -530,7 +531,7 @@ class Restore(admintool.AdminTool):
        srcldiffile = os.path.join(self.dir, ldifname)

        if not os.path.exists(ldifdir):
-            pent = pwd.getpwnam(DS_USER)
+            pent = pwd.getpwnam(constants.DS_USER)
            os.mkdir(ldifdir)
            os.chmod(ldifdir, 0o770)
            os.chown(ldifdir, pent.pw_uid, pent.pw_gid)
@ -755,7 +756,7 @@ class Restore(admintool.AdminTool):
               ]
        run(args)

-        pent = pwd.getpwnam(DS_USER)
+        pent = pwd.getpwnam(constants.DS_USER)
        os.chown(self.top_dir, pent.pw_uid, pent.pw_gid)
        recursive_chown(self.dir, pent.pw_uid, pent.pw_gid)

@ -781,9 +782,10 @@ class Restore(admintool.AdminTool):
                     paths.TOMCAT_SIGNEDAUDIT_DIR]

        try:
-            pent = pwd.getpwnam(PKI_USER)
+            pent = pwd.getpwnam(constants.PKI_USER)
        except KeyError:
-            self.log.debug("No %s user exists, skipping CA directory creation" % PKI_USER)
+            self.log.debug("No %s user exists, skipping CA directory creation",
+                           constants.PKI_USER)
            return
        self.log.debug('Creating log directories for dogtag')
        for dir in dirs:
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@ -28,6 +28,7 @@ from six.moves.configparser import ConfigParser
 from ipalib import api
 from ipalib import x509
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipapython import certdb
 from ipapython import ipautil
@ -37,8 +38,8 @@ from ipaserver.install import cainstance
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
 from ipaserver.install import service
-from ipaserver.install.dogtaginstance import (
-    PKI_USER, export_kra_agent_pem, DogtagInstance)
+from ipaserver.install.dogtaginstance import (export_kra_agent_pem,
+                                              DogtagInstance)
 from ipaserver.plugins import ldap2
 from ipapython.ipa_log_manager import log_mgr

@ -134,7 +135,7 @@ class KRAInstance(DogtagInstance):
        # Create an empty and secured file
        (cfg_fd, cfg_file) = tempfile.mkstemp()
        os.close(cfg_fd)
-        pent = pwd.getpwnam(PKI_USER)
+        pent = pwd.getpwnam(constants.PKI_USER)
        os.chown(cfg_file, pent.pw_uid, pent.pw_gid)

        # Create KRA configuration
@ -225,7 +226,7 @@ class KRAInstance(DogtagInstance):
        if self.clone:
            krafile = self.pkcs12_info[0]
            shutil.copy(krafile, p12_tmpfile_name)
-            pent = pwd.getpwnam(PKI_USER)
+            pent = pwd.getpwnam(constants.PKI_USER)
            os.chown(p12_tmpfile_name, pent.pw_uid, pent.pw_gid)

            # Security domain registration
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@ -36,11 +36,11 @@ from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN

 from ipaserver.install import replication
-from ipaserver.install import dsinstance
 from ipaserver.install import ldapupdate

 from ipaserver.install import certs
 from distutils import version
+from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths

@ -327,7 +327,7 @@ class KrbInstance(service.Service):
        vardict = {"KRB5_KTNAME": paths.DS_KEYTAB}
        ipautil.config_replace_variables(paths.SYSCONFIG_DIRSRV,
                                         replacevars=vardict)
-        pent = pwd.getpwnam(dsinstance.DS_USER)
+        pent = pwd.getpwnam(constants.DS_USER)
        os.chown(paths.DS_KEYTAB, pent.pw_uid, pent.pw_gid)

    def __create_host_keytab(self):
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -25,6 +25,7 @@ from ipapython import ipaldap
 from ipapython.ipa_log_manager import root_logger
 from ipapython import certmonger
 from ipapython.dn import DN
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaserver.install import installutils
 from ipaserver.install import dsinstance
@ -945,7 +946,7 @@ def copy_crl_file(old_path, new_path=None):
        os.symlink(realpath, new_path)
    else:
        shutil.copy2(old_path, new_path)
-        pent = pwd.getpwnam(cainstance.PKI_USER)
+        pent = pwd.getpwnam(constants.PKI_USER)
        os.chown(new_path, pent.pw_uid, pent.pw_gid)

    tasks.restore_context(new_path)
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@ -23,6 +23,7 @@ import os
 import re
 import contextlib

+from ipaplatform.constants import constants
 from ipapython.ipa_log_manager import log_mgr
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
@ -164,8 +165,8 @@ class TestBackupAndRestore(IntegrationTest):
                                     '--uninstall',
                                     '-U'])

-            self.master.run_command(['userdel', 'dirsrv'])
-            self.master.run_command(['userdel', 'pkiuser'])
+            self.master.run_command(['userdel', constants.DS_USER])
+            self.master.run_command(['userdel', constants.PKI_USER])

            homedir = os.path.join(self.master.config.test_dir,
                                   'testuser_homedir')